de48918acf
Deploy Staging / build (push) Failing after 26m15s
- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard) - Seed route: require ADMIN_SECRET via x-admin-secret header - Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production - CORS middleware: add Vary: Origin header for caching correctness - MOCK_PAYMENTS: add NODE_ENV production guard - Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
42 lines
1.2 KiB
TypeScript
42 lines
1.2 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import type { NextRequest } from "next/server";
|
|
|
|
const ALLOWED_ORIGINS = [
|
|
"https://falahos.my",
|
|
"https://www.falahos.my",
|
|
"http://localhost:3000",
|
|
"http://localhost:4013",
|
|
"http://localhost:4014",
|
|
];
|
|
|
|
export function middleware(request: NextRequest) {
|
|
const origin = request.headers.get("origin") || "";
|
|
const isAllowed = !origin || ALLOWED_ORIGINS.includes(origin);
|
|
|
|
const response = NextResponse.next();
|
|
|
|
if (origin && isAllowed) {
|
|
response.headers.set("Access-Control-Allow-Origin", origin);
|
|
response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
|
|
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
|
|
response.headers.set("Access-Control-Max-Age", "86400");
|
|
response.headers.set("Vary", "Origin");
|
|
} else if (origin && !isAllowed) {
|
|
response.headers.set("Access-Control-Allow-Origin", "https://falahos.my");
|
|
response.headers.set("Vary", "Origin");
|
|
}
|
|
|
|
if (request.method === "OPTIONS") {
|
|
return new NextResponse(null, {
|
|
status: 204,
|
|
headers: response.headers,
|
|
});
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
export const config = {
|
|
matcher: "/api/:path*",
|
|
};
|